I've been looking at get a code signing certificate, and I'm starting to doubt that certificates are 'fit for purpose'. Bearing in mind we are warned to check that web sites use secure pages when we enter confidential information, it seems the only criterion for getting a certificate is the ability to pay.